As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation, found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig. (“Magistrate’s Order”). The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.
I. The Attorney-Client Privilege and Work Product Doctrine in the United States and Abroad
The attorney-client privilege and work product doctrine are important and well-known concepts to nearly every lawyer in the United States. Generally, the attorney-client privilege shields from disclosure confidential communications between attorneys and clients for the purpose of seeking or rendering legal advice, while the work product doctrine guards documents or other tangible things prepared in anticipation of litigation by or for a party.[i] The United States affords litigants and lawyers relatively broad protections under these doctrines through the Federal Rules of Evidence and Civil Procedure or, as appropriate, analogous provisions under state law.